Security updates to wheezy-backports vs. -sloppy
openssh/wheezy-backports needs to be updated for recent CVEs which were
fixed in 1:7.1p2-1. I can upload a straightforward backport of
1:7.1p2-1 since it's now in testing, but this is newer than the version
in stable so it would have to go to wheezy-backports-sloppy. (There are
also a few older CVEs from the 6.9 era which should be fixed, and these
have the same problem.)
Can somebody confirm that the correct procedure for this would be as
follows?
* upload 1:6.7p1-5~bpo70+1 to wheezy-backports, based on 1:6.7p1-5 in
jessie but with the addition of cherry-picked patches to fix security
bugs
* upload 1:7.1p2-1~bpo7+1 to wheezy-backports-sloppy and
1:7.1p2-1~bpo8-1 to jessie-backports (not required, but I'd like to
support this)
Mainly I just want to confirm that it's OK to cherry-pick security
patches in this way, rather than the alternative of telling
wheezy-backports users that they have to use wheezy-backports-sloppy to
get security fixes.
Thanks,
--
Colin Watson [cjwatson@debian.org]